Table of Contents
Preface |
1 |
Chapter 1: Point-to-Point Networks |
7 |
Introduction |
7 |
Shortest setup possible |
8 |
OpenVPN secret keys |
10 |
Multiple secret keys |
12 |
Plaintext tunnel |
15 |
Routing |
16 |
Configuration files versus the command-line |
20 |
Complete site-to-site setup |
22 |
3-way routing |
25 |
Chapter 2: Client-server IP-only Networks |
31 |
Introduction |
31 |
Setting up the public and private keys |
32 |
Simple configuration |
38 |
Server-side routing |
40 |
Using 'client-config-dir' files |
46 |
Routing: subnets on both sides |
49 |
Redirecting the default gateway |
52 |
Using an 'ifconfig-pool' block |
54 |
Using the status file |
59 |
Management interface |
63 |
Proxy-arp |
65 |
Chapter 3: Client-server Ethernet-style Networks |
69 |
Introduction |
69 |
Simple configuration—non-bridged |
70 |
Enabling client-to-client traffic |
74 |
Bridging—Linux |
78 |
Table of Contents |
|
|
|
|
|
Bridging—Windows |
83 |
|
Checking broadcast and non-IP traffic |
86 |
|
External DHCP server |
90 |
|
Using the status file |
95 |
|
Management interface |
98 |
|
Chapter 4: PKI, Certificates, and OpenSSL |
103 |
|
Introduction |
103 |
|
Certificate generation |
104 |
|
xCA: a GUI for managing a PKI (Part 1) |
106 |
|
xCA: a GUI for managing a PKI (Part 2) |
108 |
|
OpenSSL tricks: x509, pkcs12, verify output |
112 |
|
Revoking certificates |
114 |
|
The use of CRLs |
116 |
|
Checking expired/revoked certificates |
118 |
|
Intermediary CAs |
120 |
|
Multiple CAs: stacking, using --capath |
122 |
|
Chapter 5: Two-factor Authentication with PKCS#11 |
127 |
|
Introduction |
127 |
|
Initializing a hardware token |
128 |
|
Getting a hardware token ID |
131 |
|
Using a hardware token |
133 |
|
Using the management interface to list PKCS#11 certificates |
136 |
|
Selecting a PKCS#11 certificate using the management interface |
139 |
|
Generating a key on the hardware token |
142 |
|
Private method for getting a PKCS#11 certificate |
146 |
|
Pin caching example |
148 |
|
Chapter 6: Scripting and Plugins |
153 |
|
Introduction |
153 |
|
Using a client-side up/down script |
154 |
|
Windows login greeter |
158 |
|
Using client-connect/client-disconnect scripts |
161 |
|
Using a 'learn-address' script |
165 |
|
Using a 'tls-verify' script |
168 |
|
Using an 'auth-user-pass-verify' script |
171 |
|
Script order |
174 |
|
Script security and logging |
177 |
|
Using the 'down-root' plugin |
180 |
|
Using the PAM authentication plugin |
183 |
|
ii
|
Table of Contents |
|
|
Chapter 7: Troubleshooting OpenVPN: Configurations |
187 |
Introduction |
187 |
Cipher mismatches |
188 |
TUN versus TAP mismatches |
189 |
Compression mismatches |
191 |
Key mismatches |
193 |
Troubleshooting MTU and tun-mtu issues |
195 |
Troubleshooting network connectivity |
197 |
Troubleshooting 'client-config-dir' issues |
198 |
How to read the OpenVPN log files |
201 |
Chapter 8: Troubleshooting OpenVPN: Routing |
207 |
Introduction |
207 |
The missing return route |
208 |
Missing return routes when 'iroute' is used |
211 |
All clients function except the OpenVPN endpoints |
214 |
Source routing |
217 |
Routing and permissions on Windows |
220 |
Troubleshooting client-to-client traffic routing |
222 |
Understanding the 'MULTI: bad source' warnings |
225 |
Failure when redirecting the default gateway |
227 |
Chapter 9: Performance Tuning |
233 |
Introduction |
233 |
Optimizing performance using 'ping' |
234 |
Optimizing performance using 'iperf' |
236 |
OpenSSL cipher speed |
239 |
Compression tests |
241 |
Traffic shaping |
244 |
Tuning UDP-based connections |
246 |
Tuning TCP-based connections |
249 |
Analyzing performance using tcpdump |
253 |
Chapter 10: OS Integration |
255 |
Introduction |
255 |
Linux: using NetworkManager |
256 |
Linux: using 'pull-resolv-conf' |
260 |
MacOS: using Tunnelblick |
262 |
Windows Vista/7: elevated privileges |
266 |
Windows: using the CryptoAPI store |
269 |
Windows: updating the DNS cache |
273 |
iii 
Table of Contents |
|
|
|
|
|
Windows: running OpenVPN as a service |
275 |
|
Windows: public versus private network adapters |
280 |
|
Windows: routing methods |
282 |
|
Chapter 11: Advanced Configuration |
285 |
|
Introduction |
285 |
|
Including configuration files in config files |
286 |
|
Multiple remotes and remote-random |
288 |
|
Details of ifconfig-pool-persist |
291 |
|
Connecting using a SOCKS proxy |
294 |
|
Connecting via an HTTP proxy |
297 |
|
Connecting via an HTTP proxy with authentication |
300 |
|
Using dyndns |
303 |
|
IP-less setups (ifconfig-noexec) |
306 |
|
Chapter 12: New Features of OpenVPN 2.1 and 2.2 |
311 |
|
Introduction |
311 |
|
Inline certificates |
312 |
|
Connection blocks |
314 |
|
Port sharing with an HTTPS server |
317 |
|
Routing features: redirect-private, allow-pull-fqdn |
319 |
|
Handing out the public IPs |
322 |
|
OCSP support |
325 |
|
New for 2.2: the 'x509_user_name' parameter |
328 |
|
Index |
331 |
|
iv